This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Extract POST data only

1
1

Basically I want to capture the message body of each POST request. This command is as far as I've gotten to it:

tshark -Y "http.request.method == POST" -T fields -e text

the "-e text" part because it's not documented anywhere here: https://www.wireshark.org/docs/dfref/

so why does it even work? Anyways, this is the output I get:

Source GeoIP: Unknown,Destination GeoIP: Unknown,No-Operation (NOP),No-Operation (NOP),Timestamps: TSval 91019450, TSecr 2163426594,[truncated] POST http://stat.youku.com/player/addPlayerDurationReport?sid=043779342708612ce98e9&videoOwnerId=400344858&viewUserId=0&videoid=322228882&ct=g&cs=2218&number=59&rnd=3.616&showid_v2=undefined&showid_v3=undefined&show_videotype=u,\r\n,HTTP request 1/1 Source GeoIP: Unknown,Destination GeoIP: Unknown,POST http://login.tudou.com/login.do  HTTP/1.1\r\n,Client-IP: 104.236.147.107\r\n,HTTP-X-REAL-IP: 104.236.147.107\r\n,X-Real-IP: 104.236.147.107\r\n,Proxy-Connection: Keep-Alive\r\n,\r\n,HTTP request 1/1,**[email protected]&password=05061145&remember=true&act=ajaxLogin2Json** Source GeoIP: Unknown,Destination GeoIP: Unknown,No-Operation (NOP),No-Operation (NOP),Timestamps: TSval 833911496, TSecr 2163426904,POST http://www.dolphinitalia.it/libraries/joomla/document/feed/renderer/cache.php?k=31 HTTP/1.\r\n,\r\n,HTTP request 1/1,**evpldjmr**

in bold ** are the parts that I want, without any truncation. Parsing that output through some other program is out of the question because it's

impossible to know where to split and where to look for the parts that I want. So how would I do this? Is there another undocumented field that

output exactly what I want?

asked 25 Jul '15, 09:43

im_a_lawyer's gravatar image

im_a_lawyer
26125
accept rate: 0%

edited 25 Jul '15, 09:47


2 Answers:

1

From an academic point of view I think you mean something like:

tshark -Y "http.request.method==GET" -Tfields -e http.request.full_uri

PLEASE think though, it is pretty much guaranteed to be illegal to obtain this if this is not already your information! Your Nick does not help me in this thought.

Whichever field you are interested in (you can look that up in Wireshark in required) should be substituted after -e

answered 25 Jul '15, 11:20

DarrenWright's gravatar image

DarrenWright
216141520
accept rate: 26%

That only gives me the URL for each POST request. I want the actual POST data that goes with it: field=value&field2=value2...

Which field would give me just that? This is completely legal because this is all happening under our own organization and our own people.

(25 Jul '15, 11:40) im_a_lawyer
1

tshark -Y "http.request.method==POST" -Tfields -e data.data?

(25 Jul '15, 12:02) DarrenWright

Why GET? Also No, that didn't work. I just get blank lines:

http://i.imgur.com/fwn0hu3.png?1

(25 Jul '15, 12:06) im_a_lawyer

yeah, sorry ^^ POST should be there copy paste is bad.. I am having trouble finding a site I can POST to that isn't https.. You have blank lines with GET because there is not data.data

strange, when I do this (with POST) it delivers me the information. It is HEX, but you can convert that easily enough

(25 Jul '15, 12:14) DarrenWright
1

Then what does the "text" field do? Why isn't that documented? It appears to work somewhat, but if I do:

"http.request.method == POST && data.data", then not every POST request with data gets captured. Some go missing. What am I doing wrong? Is everyone 100% positive that data.data is what I should be using?

(25 Jul '15, 13:31) im_a_lawyer

I'm not even 10% positive that is what you should be using..

You are referencing a wireshark page whilst asking a tshark question, a small but important difference.

https://www.wireshark.org/docs/man-pages/tshark.html

scroll down to -e and -T for explanations of the fields. You may also want to look the at -E parameter.

-Y "http.request.method == POST" is fine for filter, you don't need to && anything to it. As for data.data: in my attempts, all the login info was contained there, mileage may vary. The easiest way is to open / start a capture in Wireshark, look at the field containing the Information you are interested in and use this as a -e PARAMETER next time.

(26 Jul '15, 10:22) DarrenWright

That field always has a different name. If I'm submitting a regular form, then that whole field is named: HTML Form URL Encoded: application/x-www-form-urlencoded If it's a multipart form then it is named: "MIME Multipart Media Encapsulation, Type: multipart/form-data

If raw data is sent then somehow it is still called multipart/form-data...

basically, data.data does not capture all POST requests, but since I'm probably only interested in form-data, then I'll just settle for:

-e urlencoded-form.key -e urlencoded-form.value

I'll accept your answer anyways

(26 Jul '15, 12:12) im_a_lawyer
showing 5 of 7 show 2 more comments

0

This got much easier with Wireshark 2.x or so. At least the following works for me with Wireshark 2.2.5 from Debian 9 but not with Wireshark 1.8.x from RHEL 6:

tshark -Y http.request.method==POST -Tfields -e http.file_data

I though would still be interested in a nice solution for Wireshark 1.8. Neither

tshark -Y http.request.method==POST -Tfields -e data.data

nor

tshark -Y http.request.method==POST -Tfields -e text

are really useful without further manual decoding.

answered 29 Mar '17, 06:01

XTaran's gravatar image

XTaran
6123
accept rate: 0%